Add EN-20:10, EN-20:11, and SA-20:17.

Approved by:	so
Gordon Tetlow 2020-06-09 16:36:54 +00:00
parent c611a1a50b
commit 3780d66dd0
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=54224
11 changed files with 705 additions and 0 deletions

@ -0,0 +1,147 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-20:11.ena Errata Notice
The FreeBSD Project
Topic: Stability issues in ena(4) driver
Category: core
Module: ena
Announced: 2020-06-09
Credits: Colin Percival
Affects: FreeBSD 12.1
Corrected: 2020-05-12 18:44:41 UTC (stable/12, 12.1-STABLE)
2020-06-09 16:10:57 UTC (releng/12.1, 12.1-RELEASE-p6)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.
I. Background
The ena(4) driver is used to access the Elastic Network Adapter network
interface on recent Amazon Elastic Compute Cloud (EC2) instances. It is
designed to make full use of the EC2 network, operating at up to 100 Gbps.
II. Problem Description
The ena(4) driver attempts to allocate a large number of 16 kB mbuf clusters
to use as buffers for received packets. Under low memory conditions, the
process of attempting to allocate these buffers may take a long time.
On FreeBSD 12.x, these allocations are attempted from an interrupt thread
running at high priority, and can subsequently starve other parts of the
system of CPU time.
It appears that systems using the ZFS filesystem may be more likely to
experience this issue, possibly due to the memory pressure created by the
allocation of memory to the ZFS ARC.
III. Impact
The system may become unresponsive, appearing to "lock up" for periods of
several seconds. The ena(4) driver may log errors such as
The number of lost tx completion is above the threshold (129 > 128).
and reset the device; the nvme(4) driver may also experience timeouts
resulting in a range of errors being reported and the device being reset,
and in some cases causing kernel panics.
IV. Workaround
No workaround is available. Systems which are not part of the Amazon
Elastic Compute Cloud (EC2) are not affected; nor are older EC2 instance
types, which lack the Elastic Network Adapter hardware.
V. Solution
Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date, and reboot.
Perform one of the following:
1) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for errata update"
2) To update your system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 12.1]
# fetch https://security.FreeBSD.org/patches/EN-20:11/ena.patch
# fetch https://security.FreeBSD.org/patches/EN-20:11/ena.patch.asc
# gpg --verify ena.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
NOTE: This patch can have a small (~2%) impact on the throughput of the
ena(4) device. The original performance can be restored -- at the expense
of latency spikes and system instability under memory pressure -- by adding
the following to /boot/loader.conf:
hw.ena.enable_9k_mbufs="1"
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/12/ r360985
releng/12.1/ r361970
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-20:11.ena.asc>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
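Review bot: In the NOTE at the end of section V, "The original performance can be restored" does not line up with the rest of this commit. Section II describes the old behaviour as allocating 16 kB mbuf clusters, while the tunable hw.ena.enable_9k_mbufs selects 9 kB clusters (MJUM9BYTES in ena.patch), so the pre-patch buffer size is not what comes back. Suggest stating explicitly that the option switches the Rx buffers to 9 kB clusters rather than implying a return to the previous configuration.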

@ -0,0 +1,127 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-20:12.iflib Errata Notice
The FreeBSD Project
Topic: iflib watchdog timeout resetting idle queues
Category: core
Module: kernel
Announced: 2020-06-09
Affects: FreeBSD 12.1
Corrected: 2020-01-10 18:29:05 UTC (stable/12, 12.1-STABLE)
2020-06-09 16:11:54 UTC (releng/12.1, 12.1-RELEASE-p6)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.
I. Background
iflib is a framework that contains common code for network drivers to use,
reducing code duplication. One function it contains is a "watchdog" that
periodically checks the driver's software Tx queues to see if they're hung.
II. Problem Description
The iflib watchdog would sometimes trigger a false positive queue hang just
after a link state change.
III. Impact
The iflib framework would print messages for the affected devices such as
"igb0: TX(2) desc avail = 1024, pidx = 0"
and would stop allowing Tx traffic to be sent.
IV. Workaround
No workaround is available. Systems that do not use iflib-based interfaces
are not vulnerable.
V. Solution
Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date, and reboot.
Perform one of the following:
1) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for errata update"
2) To update your system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/EN-20:12/iflib.patch
# fetch https://security.FreeBSD.org/patches/EN-20:12/iflib.patch.asc
# gpg --verify iflib.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/12/ r356605
releng/12.1/ r361971
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=239240>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-20:12.iflib.asc>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

@ -0,0 +1,133 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-20:17.usb Security Advisory
The FreeBSD Project
Topic: USB HID descriptor parsing error
Category: core
Module: kernel
Announced: 2020-06-09
Credits: Andy Nguyen, Google
Affects: All supported versions of FreeBSD.
Corrected: 2020-06-08 09:32:57 UTC (stable/12, 12.1-STABLE)
2020-06-09 16:13:54 UTC (releng/12.1, 12.1-RELEASE-p6)
2020-06-08 09:33:37 UTC (stable/11, 11.4-STABLE)
2020-06-09 16:13:54 UTC (releng/11.4, 11.4-RC2-p1)
2020-06-09 16:13:54 UTC (releng/11.3, 11.3-RELEASE-p10)
CVE Name: CVE-2020-7456
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
USB Human Interface Device (HID) descriptors may push/pop the current state
to allow description of items residing in a so-called union. FreeBSD
supports 4 such pop levels.
II. Problem Description
If the push/pop level is not restored within the processing of the same HID
item, an invalid memory location may be used for subsequent HID item
processing.
III. Impact
An attacker with physical access to a USB port may be able to use a specially
crafted USB device to gain kernel or user-space code execution.
IV. Workaround
Setting "sysctl hw.usb.disable_enumeration=1" disables USB device
enumeration preventing the error from occurring.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.
Perform one of the following:
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-20:17/usb.patch
# fetch https://security.FreeBSD.org/patches/SA-20:17/usb.patch.asc
# gpg --verify usb.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/12/ r361918
releng/12.1/ r361972
stable/11/ r361919
releng/11.4/ r361972
releng/11.3/ r361972
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7456>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:17.usb.asc>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
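Review bot: Step 2c of section V only tells the reader to recompile the kernel, but usb.patch in this commit also changes lib/libusbhid/parse.c, which a kernel rebuild does not cover. The header likewise lists "Module: kernel" while section III mentions user-space code execution. Suggest adding a userland rebuild step for libusbhid, and a restart of programs linked against it, to the source-patch instructions.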

@ -0,0 +1,87 @@
--- sys/dev/ena/ena.c.orig
+++ sys/dev/ena/ena.c
@@ -200,6 +200,19 @@
SYSCTL_INT(_hw_ena, OID_AUTO, log_level, CTLFLAG_RWTUN,
&ena_log_level, 0, "Logging level indicating verbosity of the logs");
+/*
+ * Use 9k mbufs for the Rx buffers. Default to 0 (use page size mbufs instead).
+ * Using 9k mbufs in low memory conditions might cause allocation to take a lot
+ * of time and lead to the OS instability as it needs to look for the contiguous
+ * pages.
+ * However, page size mbufs has a bit smaller throughput than 9k mbufs, so if
+ * the network performance is the priority, the 9k mbufs can be used.
+ */
+int ena_enable_9k_mbufs = 0;
+SYSCTL_INT(_hw_ena, OID_AUTO, enable_9k_mbufs, CTLFLAG_RDTUN,
+ &ena_enable_9k_mbufs, 0, "Use 9 kB mbufs for Rx descriptors");
+#define ena_mbuf_sz (ena_enable_9k_mbufs ? MJUM9BYTES : MJUMPAGESIZE)
+
static ena_vendor_info_t ena_vendor_info_array[] = {
{ PCI_VENDOR_ID_AMAZON, PCI_DEV_ID_ENA_PF, 0},
{ PCI_VENDOR_ID_AMAZON, PCI_DEV_ID_ENA_LLQ_PF, 0},
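Review bot: `int ena_enable_9k_mbufs = 0;` is declared with external linkage although the only use visible in this patch is the `ena_mbuf_sz` macro in the same file; make it `static` unless another ena source file needs it. The lower-case macro `ena_mbuf_sz` also reads like a variable while hiding a conditional on a global, so an upper-case name or a small inline function would make the call sites clearer. Since the sysctl is CTLFLAG_RDTUN, the description string could also say that it is a boot-time tunable, and the block comment has a grammar slip ("page size mbufs has").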
@@ -470,6 +483,7 @@
rxr->que = que;
rxr->empty_rx_queue = 0;
+ rxr->rx_mbuf_sz = ena_mbuf_sz;
}
}
@@ -548,9 +562,9 @@
ENA_DMA_BIT_MASK(adapter->dma_width), /* lowaddr of excl window */
BUS_SPACE_MAXADDR, /* highaddr of excl window */
NULL, NULL, /* filter, filterarg */
- MJUM16BYTES, /* maxsize */
+ ena_mbuf_sz, /* maxsize */
adapter->max_rx_sgl_size, /* nsegments */
- MJUM16BYTES, /* maxsegsize */
+ ena_mbuf_sz, /* maxsegsize */
0, /* flags */
NULL, /* lockfunc */
NULL, /* lockarg */
@@ -957,7 +971,8 @@
return (0);
/* Get mbuf using UMA allocator */
- rx_info->mbuf = m_getjcl(M_NOWAIT, MT_DATA, M_PKTHDR, MJUM16BYTES);
+ rx_info->mbuf = m_getjcl(M_NOWAIT, MT_DATA, M_PKTHDR,
+ rx_ring->rx_mbuf_sz);
if (unlikely(rx_info->mbuf == NULL)) {
counter_u64_add(rx_ring->rx_stats.mjum_alloc_fail, 1);
@@ -968,7 +983,7 @@
}
mlen = MCLBYTES;
} else {
- mlen = MJUM16BYTES;
+ mlen = rx_ring->rx_mbuf_sz;
}
/* Set mbuf length*/
rx_info->mbuf->m_pkthdr.len = rx_info->mbuf->m_len = mlen;
--- sys/dev/ena/ena.h.orig
+++ sys/dev/ena/ena.h
@@ -41,7 +41,7 @@
#define DRV_MODULE_VER_MAJOR 0
#define DRV_MODULE_VER_MINOR 8
-#define DRV_MODULE_VER_SUBMINOR 4
+#define DRV_MODULE_VER_SUBMINOR 5
#define DRV_MODULE_NAME "ena"
@@ -238,8 +238,12 @@
/* Determines if device will use LLQ or normal mode for TX */
enum ena_admin_placement_policy_type tx_mem_queue_type;
- /* The maximum length the driver can push to the device (For LLQ) */
- uint8_t tx_max_header_size;
+ union {
+ /* The maximum length the driver can push to the device (For LLQ) */
+ uint8_t tx_max_header_size;
+ /* The maximum (and default) mbuf size for the Rx descriptor. */
+ uint16_t rx_mbuf_sz;
+ };
struct ena_com_rx_buf_info ena_bufs[ENA_PKT_MAX_BUFS];
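Review bot: the new anonymous union makes `rx_mbuf_sz` share storage with `tx_max_header_size`, which is only safe if a given ring structure is used for one direction only, and nothing in the visible comments says so. Suggest a comment on the union stating that the first member is valid for Tx rings and the second for Rx rings, so a later change that writes `rx_mbuf_sz` on a Tx ring does not silently overwrite the LLQ header size.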

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

@ -0,0 +1,15 @@
--- sys/net/iflib.c.orig
+++ sys/net/iflib.c
@@ -2301,8 +2301,11 @@
(sctx->isc_pause_frames == 0)))
goto hung;
- if (ifmp_ring_is_stalled(txq->ift_br))
+ if (txq->ift_qstatus != IFLIB_QUEUE_IDLE &&
+ ifmp_ring_is_stalled(txq->ift_br)) {
+ KASSERT(ctx->ifc_link_state == LINK_STATE_UP, ("queue can't be marked as hung if interface is down"));
txq->ift_qstatus = IFLIB_QUEUE_HUNG;
+ }
txq->ift_cleaned_prev = txq->ift_cleaned;
}
#ifdef DEV_NETMAP
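Review bot: the added KASSERT line runs well past 80 columns; wrap the message string onto continuation lines. The assertion is also only evaluated in kernels built with INVARIANTS, so on a release kernel a stalled ring is still marked IFLIB_QUEUE_HUNG while the link is down. If that state must never occur, test `ctx->ifc_link_state` in the `if` condition rather than asserting it.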

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

@ -0,0 +1,112 @@
--- lib/libusbhid/parse.c.orig
+++ lib/libusbhid/parse.c
@@ -403,26 +403,28 @@
s->loc_count = dval & mask;
break;
case 10: /* Push */
+ /* stop parsing, if invalid push level */
+ if ((s->pushlevel + 1) >= MAXPUSH)
+ return (0);
s->pushlevel ++;
- if (s->pushlevel < MAXPUSH) {
- s->cur[s->pushlevel] = *c;
- /* store size and count */
- c->report_size = s->loc_size;
- c->report_count = s->loc_count;
- /* update current item pointer */
- c = &s->cur[s->pushlevel];
- }
+ s->cur[s->pushlevel] = *c;
+ /* store size and count */
+ c->report_size = s->loc_size;
+ c->report_count = s->loc_count;
+ /* update current item pointer */
+ c = &s->cur[s->pushlevel];
break;
case 11: /* Pop */
+ /* stop parsing, if invalid push level */
+ if (s->pushlevel == 0)
+ return (0);
s->pushlevel --;
- if (s->pushlevel < MAXPUSH) {
- c = &s->cur[s->pushlevel];
- /* restore size and count */
- s->loc_size = c->report_size;
- s->loc_count = c->report_count;
- c->report_size = 0;
- c->report_count = 0;
- }
+ c = &s->cur[s->pushlevel];
+ /* restore size and count */
+ s->loc_size = c->report_size;
+ s->loc_count = c->report_count;
+ c->report_size = 0;
+ c->report_count = 0;
break;
default:
break;
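Review bot: in both the Push and Pop cases the new `return (0)` stops parsing without any indication of why, while the usb_hid.c copy of the same fix logs the condition through DPRINTFN. Suggest documenting what a 0 return means for callers of the library in this case, and adding a regression test with one descriptor that pushes past MAXPUSH and one that pops at level 0.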
--- sys/dev/usb/usb_hid.c.orig
+++ sys/dev/usb/usb_hid.c
@@ -436,36 +436,36 @@
s->loc_count = dval & mask;
break;
case 10: /* Push */
+ /* stop parsing, if invalid push level */
+ if ((s->pushlevel + 1) >= MAXPUSH) {
+ DPRINTFN(0, "Cannot push item @ %d\n", s->pushlevel);
+ return (0);
+ }
s->pushlevel ++;
- if (s->pushlevel < MAXPUSH) {
- s->cur[s->pushlevel] = *c;
- /* store size and count */
- c->loc.size = s->loc_size;
- c->loc.count = s->loc_count;
- /* update current item pointer */
- c = &s->cur[s->pushlevel];
- } else {
- DPRINTFN(0, "Cannot push "
- "item @ %d\n", s->pushlevel);
- }
+ s->cur[s->pushlevel] = *c;
+ /* store size and count */
+ c->loc.size = s->loc_size;
+ c->loc.count = s->loc_count;
+ /* update current item pointer */
+ c = &s->cur[s->pushlevel];
break;
case 11: /* Pop */
+ /* stop parsing, if invalid push level */
+ if (s->pushlevel == 0) {
+ DPRINTFN(0, "Cannot pop item @ 0\n");
+ return (0);
+ }
s->pushlevel --;
- if (s->pushlevel < MAXPUSH) {
- /* preserve position */
- oldpos = c->loc.pos;
- c = &s->cur[s->pushlevel];
- /* restore size and count */
- s->loc_size = c->loc.size;
- s->loc_count = c->loc.count;
- /* set default item location */
- c->loc.pos = oldpos;
- c->loc.size = 0;
- c->loc.count = 0;
- } else {
- DPRINTFN(0, "Cannot pop "
- "item @ %d\n", s->pushlevel);
- }
+ /* preserve position */
+ oldpos = c->loc.pos;
+ c = &s->cur[s->pushlevel];
+ /* restore size and count */
+ s->loc_size = c->loc.size;
+ s->loc_count = c->loc.count;
+ /* set default item location */
+ c->loc.pos = oldpos;
+ c->loc.size = 0;
+ c->loc.count = 0;
break;
default:
DPRINTFN(0, "Global bTag=%d\n", bTag);
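Review bot: the Push diagnostic now prints `s->pushlevel` before the increment, so it reports the last valid level rather than the level that was rejected, which is the opposite of what the removed message printed; including MAXPUSH in the message would make it unambiguous. The Push and Pop bodies are also duplicated almost line for line with lib/libusbhid/parse.c, so a comment in each file pointing at the other would help keep future fixes in sync.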

@ -0,0 +1,18 @@
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

@ -7,6 +7,19 @@
<year>
<name>2020</name>
<month>
<name>6</name>
<day>
<name>9</name>
<advisory>
<name>FreeBSD-SA-20:17.usb</name>
</advisory>
</day>
</month>
<month>
<name>5</name>

@ -7,6 +7,23 @@
<year>
<name>2020</name>
<month>
<name>6</name>
<day>
<name>9</name>
<notice>
<name>FreeBSD-EN-20:12.iflib</name>
</notice>
<notice>
<name>FreeBSD-EN-20:11.ena</name>
</notice>
</day>
</month>
<month>
<name>5</name>
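Review bot: the commit message names EN-20:10, EN-20:11 and SA-20:17, but the notices listed here and the advisory files in this commit are FreeBSD-EN-20:11.ena and FreeBSD-EN-20:12.iflib. The log message should match the notice numbers actually added.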